Foreword

The Federal Information Processing Standards Publication Series of the National Bureau of
Standards (NBS) is the official publication relating to standards and guidelines adopted and
promulgated under the provisions of Section 111(d) of the Federal Property and Administrative Services
Act of 1949 as amended by the Computer Security Act of 1987, Public Law 100-235. These
mandates have given the Secretary of Commerce and NBS important responsibilities for improving the
utilization and management of computer and related telecommunications systems in the Federal
Government. The NBS through its Institute for Computer Sciences and Technology provides
leadership, technical guidance, and coordination of Government efforts in the development of
standards and guidelines in these areas.

Comments concerning Federal Information Processing Standards Publications are welcomed 
and should be addressed to the Director, Institute for Computer Sciences and Technology, National 
Bureau of Standards, Gaithersburg, MD 20899. 


James H. Burrows, Director 

Institute for Computer Sciences and Technology 


Abstract 

The selective application of technological and related procedural safeguards is an important responsibility of every 
Federal organization in providing adequate security to its ADP systems. This publication provides a standard to be used by 
Federal organizations when these organizations specify that cryptographic protection is to be used for sensitive or valuable 
computer data. Protection of computer data during transmission between electronic components or while in storage may be 
necessary to maintain the confidentiality and integrity of the information represented by that data. The standard specifies an 
encryption algorithm which is to be implemented in an electronic device for use in Federal ADP systems and networks. The 
algorithm uniquely defines the mathematical steps required to transform computer data into a cryptographic cipher. It also 
specifies the steps required to transform the cipher back to its original form. A device performing this algorithm may be used 
in many applications areas where cryptographic data protection is needed. Within the context of a total security program 
comprising physical security procedures, good information management practices and computer system/network access 
controls, the Data Encryption Standard is being made available for use by Federal agencies. This revision supersedes 
FIPS 46.

1988 January 22

Announcing the 

DATA ENCRYPTION STANDARD 



Federal Information Processing Standards Publications (FIPS PUBS) are issued by the National Bureau of Standards after approval by 
the Secretary of Commerce pursuant to Section 111(d) of the Federal Property and Administrative Services Act of 1949 as amended by 
the Computer Security Act of 1987, Public Law 100-235. 

1. Name of Standard. Data Encryption Standard (DES). 

2. Category of Standard. ADP Operations, Computer Security. 

3. Explanation. The Data Encryption Standard (DES) specifies an algorithm to be implemented in
electronic hardware devices and used for the cryptographic protection of computer data. This publication
provides a complete description of a mathematical algorithm for encrypting (enciphering) and decrypting
(deciphering) binary coded information. Encrypting data converts it to an unintelligible form called cipher.
Decrypting cipher converts the data back to its original form. The algorithm described in this standard
specifies both enciphering and deciphering operations which are based on a binary number called a key. The
key consists of 64 binary digits (“0”s or “1”s) of which 56 bits are used directly by the algorithm and 8 bits
are used for error detection.

Binary coded data may be cryptographically protected using the DES algorithm in conjunction with a key.
The key is generated in such a way that each of the 56 bits used directly by the algorithm are random and the
8 error detecting bits are set to make the parity of each 8-bit byte of the key odd, i.e., there is an odd number
of “1”s in each 8-bit byte. Each member of a group of authorized users of encrypted computer data must have
the key that was used to encipher the data in order to use it. This key, held by each member in common, is
used to decipher the data received in cipher form from other members of the group. The encryption
algorithm specified in this standard is commonly known among those using the standard. The unique key
chosen for use in a particular application makes the results of encrypting data using the algorithm unique.
Selection of a different key causes the cipher that is produced for any given set of inputs to be different. The
cryptographic security of the data depends on the security provided for the key used to encipher and
decipher the data.

Data can be recovered from cipher only by using exactly the same key used to encipher it. Unauthorized 
recipients of the cipher who know the algorithm but do not have the correct key cannot derive the original 
data algorithmically. However, anyone who does have the key and the algorithm can easily decipher the 
cipher and obtain the original data. A standard algorithm based on a secure key thus provides a basis for 
exchanging encrypted computer data by issuing the key used to encipher it to those authorized to have the 
data. 

4. Approving Authority. Secretary of Commerce. 

5. Maintenance Agency. Institute for Computer Sciences and Technology, National Bureau of Standards. 

6. Applicability. This standard will be used by Federal departments and agencies for the cryptographic 
protection of computer data when the following conditions apply: 

1. An authorized official or manager responsible for data security or the security of any computer 
system decides that cryptographic protection is required; and 

2. The data is not classified according to the National Security Act of 1947, as amended, or the Atomic 
Energy Act of 1954, as amended.

However, Federal agencies or departments which use cryptographic devices for protecting data classified
according to either of these acts can use those devices for protecting unclassified data in lieu of the standard. 

In addition, this standard may be adopted and used by non-Federal Government organizations. Such use is 
encouraged when it provides the desired security for commercial and private organizations. 

Data that is considered sensitive by the responsible authority, data that has a high value, or data that
represents a high value should be cryptographically protected if it is vulnerable to unauthorized disclosure or
undetected modification during transmission or while in storage. A risk analysis should be performed under 
the direction of a responsible authority to determine potential threats. The costs of providing cryptographic 
protection using this standard as well as alternative methods of providing this protection and their respective 
costs should be projected. A responsible authority then should make a decision, based on these analyses, 
whether or not to use cryptographic protection and this standard. 

7. Applications. Data encryption (cryptography) may be utilized in various applications and in various
environments. The specific utilization of encryption and the implementation of the DES will be based on 
many factors particular to the computer system and its associated components. In general, cryptography is 
used to protect data while it is being communicated between two points or while it is stored in a medium 
vulnerable to physical theft. Communication security provides protection to data by enciphering it at the 
transmitting point and deciphering it at the receiving point. File security provides protection to data by 
enciphering it when it is recorded on a storage medium and deciphering it when it is read back from the 
storage medium. In the first case, the key must be available at the transmitter and receiver simultaneously 
during communication. In the second case, the key must be maintained and accessible for the duration of the 
storage period. 

8. Hardware Implementation. The algorithm specified in this standard is to be implemented in computer or
related data communication devices using hardware (not software) technology. The specific implementation
may depend on several factors such as the application, the environment, the technology used, etc.
Implementations which comply with this standard include Large Scale Integration (LSI) “chips” in individual
electronic packages, devices built from Medium Scale Integration (MSI) electronic components, or other
electronic devices dedicated to performing the operations of the algorithm. Micro-processors using Read
Only Memory (ROM) or micro-programmed devices using microcode for hardware level control instructions 
are examples of the latter. Hardware implementations of the algorithm which are tested and validated by 
NBS will be considered as complying with the standard. Information about devices that have been validated 
and procedures for testing and validating equipment for conformance with this standard are available from 
the National Bureau of Standards, Institute for Computer Sciences and Technology, Gaithersburg, MD 
20899. Software implementations in general purpose computers are not in compliance with this standard. 

9. Export Control. Cryptographic devices and technical data regarding them are subject to Federal
Government export controls as specified in Title 22, Code of Federal Regulations, Parts 121 through 128.
Cryptographic devices implementing this standard and technical data regarding them must comply with these
Federal regulations.

10. Patents. Cryptographic devices implementing this standard may be covered by U.S. and foreign 
patents issued to the International Business Machines Corporation. However, IBM has granted nonexclusive, 
royalty-free licenses under the patents to make, use and sell apparatus which complies with the standard. The 
terms, conditions and scope of the licenses are set out in notices published in the May 13, 1975 and August 31, 
1976 issues of the Official Gazette of the United States Patent and Trademark Office (934 O. G. 452 and 949 
O.G. 1717). 

11. Alternative Modes of Using the DES. FIPS PUB 81, DES Modes of Operation, describes four different
modes for using the algorithm described in this standard. These four modes are called the Electronic
Codebook (ECB) mode, the Cipher Block Chaining (CBC) mode, the Cipher Feedback (CFB) mode, and the
Output Feedback (OFB) mode. ECB is a direct application of the DES algorithm to encrypt and decrypt
data; CBC is an enhanced mode of ECB which chains together blocks of cipher text; CFB uses previously
generated cipher text as input to the DES to generate pseudorandom outputs which are combined with the
plain text to produce cipher text, thereby chaining together the resulting cipher text; OFB is identical to CFB
except that the previous output of the DES is used as input in OFB while the previous cipher text is used as
input in CFB. OFB does not chain the cipher text.

12. Implementation of this standard. This standard became effective July 1977. It was reaffirmed in 1983
and 1988. It applies to all Federal ADP systems and associated telecommunications networks under
development as well as to installed systems when it is determined that cryptographic protection is required. Each
Federal department or agency will issue internal directives for the use of this standard by their operating units
based on their data security requirement determinations.

NBS provides technical assistance to Federal agencies in implementing data encryption through the issuance 
of guidelines and through individual reimbursable projects. The National Security Agency assists Federal 
departments and agencies in communications security for classified applications and in determining specific 
security requirements. Instructions and regulations for procuring data processing equipment utilizing this 
standard are included in the Federal Information Resources Management Regulation (FIRMR) Subpart
201-8.111-1.

13. Specifications. Federal Information Processing Standard (FIPS) 46-1, Data Encryption Standard 
(DES) (affixed). 

14. Cross Index. 

a. FIPS PUB 31, Guidelines to ADP Physical Security and Risk Management. 

b. FIPS PUB 39, Glossary for Computer Systems Security. 

c. FIPS PUB 41, Computer Security Guidelines for Implementing the Privacy Act of 1974. 

d. FIPS PUB 65, Guideline for Automatic Data Processing Risk Analysis. 

e. FIPS PUB 73, Guidelines for Security of Computer Applications. 

f. FIPS PUB 74, Guidelines for Implementing and Using the NBS Data Encryption Standard. 

g. FIPS PUB 81, DES Modes of Operation. 

h. FIPS PUB 87, Guidelines for ADP Contingency Planning. 

i. FIPS PUB 112, Password Usage.

j. FIPS PUB 113, Computer Data Authentication. 

k. Other FIPS and Federal Standards are applicable to the implementation and use of this standard. In 
particular, the Code for Information Interchange, Its Representations, Subsets, and Extensions (FIPS PUB 
1-2) and other related data storage media or data communications standards should be used in conjunction 
with this standard. A list of currently approved FIPS may be obtained from the National Bureau of 
Standards, Institute for Computer Sciences and Technology, Gaithersburg, MD 20899. 

15. Qualifications. The cryptographic algorithm specified in this standard transforms a 64-bit binary value
into a unique 64-bit binary value based on a 56-bit variable. If the complete 64-bit input is used (i.e., none of
the input bits should be predetermined from block to block) and if the 56-bit variable is randomly chosen, no
technique other than trying all possible keys using known input and output for the DES will guarantee
finding the chosen key. As there are over 70,000,000,000,000,000 (seventy quadrillion) possible keys of 56 bits,
the feasibility of deriving a particular key in this way is extremely unlikely in typical threat environments.
Moreover, if the key is changed frequently, the risk of this event is greatly diminished. However, users should
be aware that it is theoretically possible to derive the key in fewer trials (with a correspondingly lower 
probability of success depending on the number of keys tried) and should be cautioned to change the key as 
often as practical. Users must change the key and provide it a high level of protection in order to minimize 
the potential risks of its unauthorized computation or acquisition. The feasibility of computing the correct key 
may change with advances in technology. A more complete description of the strength of this algorithm 
against various threats is contained in FIPS PUB 74, Guidelines for Implementing and Using the NBS Data 
Encryption Standard. 

When correctly implemented and properly used, this standard will provide a high level of cryptographic 
protection to computer data. NBS, supported by the technical assistance of Government agencies responsible 
for communication security, has determined that the algorithm specified in this standard will provide a high
level of protection for a time period beyond the normal life cycle of its associated ADP equipment. The 
protection provided by this algorithm against potential new threats will be reviewed within 5 years to assess 
its adequacy (See Special Information Section). In addition, both the standard and possible threats reducing 
the security provided through the use of this standard will undergo continual review by NBS and other 
cognizant Federal organizations. The new technology available at that time will be evaluated to determine its 
impact on the standard. In addition, the awareness of any breakthrough in technology or any mathematical 
weakness of the algorithm will cause NBS to reevaluate this standard and provide necessary revisions. 

16. Comments. Comments and suggestions regarding this standard and its use are welcomed and should be
addressed to the National Bureau of Standards, Attn: Director, Institute for Computer Sciences and 
Technology, Gaithersburg, MD 20899. 

17. Waiver Procedure. The head of a Federal agency may waive the provisions of this FIPS PUB after the
conditions and justifications for the waiver have been coordinated with the National Bureau of Standards. A
waiver is necessary if cryptographic devices performing an algorithm other than that which is specified in this
standard are to be used by a Federal agency for data subject to cryptographic protection under this standard.
No waiver is necessary if classified communications security equipment is to be used. Software
implementations of this algorithm for operational use in general purpose computer systems do not comply with this
standard and each such implementation must also receive a waiver. Implementation of the algorithm in
software for testing or evaluation does not require waiver approval. Implementation of other special purpose
cryptographic algorithms in software for limited use within a computer system (e.g., encrypting password
files) or implementations of cryptographic algorithms in software which were being utilized in computer
systems before the effective date of this standard do not require a waiver. However, these limited uses should
be converted to the use of this standard when the system or equipment involved is upgraded or redesigned to
include general cryptographic protection of computer data. Waivers will be considered for devices certified
by the National Security Agency as complying with the Commercial COMSEC Endorsement Program
(CCEP) when such devices offer equivalent cost/performance features when compared with devices
conforming to this standard. Letters describing the nature of and reasons for the waiver should be addressed to
the Director, Institute for Computer Sciences and Technology, as previously noted.

Sixty days should be allowed for review and response by NBS. The waiver shall not be approved until a 
response from NBS is received; however, the final decision for granting the waiver is the responsibility of the 
head of the particular agency involved. 

18. Special Information. In accordance with the Qualifications Section of this standard, reviews of this
standard have been conducted every 5 years since its adoption in 1977. The standard was reaffirmed during
each of those reviews. This revision to the text of the standard contains only editorial and other
nonsubstantive changes, mainly to update the reference list, provide current names and addresses, and supplemental
information issued after 1977.

19. Where to Obtain Copies. Copies of this publication are for sale by the National Technical Information
Service, U.S. Department of Commerce, Springfield, VA 22161. When ordering, refer to Federal
Information Processing Standards Publication 46-1 (FIPS PUB 46-1), and title. Payment may be made by check,
money order, or deposit account.

Federal Information
Processing Standards Publication 46-1 

1988 January 22 

SPECIFICATIONS FOR THE 

DATA ENCRYPTION STANDARD 



The Data Encryption Standard (DES) shall consist of the following Data Encryption Algorithm to 
be implemented in special purpose electronic devices. These devices shall be designed in such a way 
that they may be used in a computer system or network to provide cryptographic protection to 
binary coded data. The method of implementation will depend on the application and environment. 
The devices shall be implemented in such a way that they may be tested and validated as 
accurately performing the transformations specified in the following algorithm. 


DATA ENCRYPTION ALGORITHM 


Introduction 

The algorithm is designed to encipher and decipher blocks of data consisting of 64 bits under control
of a 64-bit key.* Deciphering must be accomplished by using the same key as for enciphering, but
with the schedule of addressing the key bits altered so that the deciphering process is the reverse of
the enciphering process. A block to be enciphered is subjected to an initial permutation IP, then to
a complex key-dependent computation and finally to a permutation which is the inverse of the
initial permutation $IP^{-1}$. The key-dependent computation can be simply defined in terms of a
function f, called the cipher function, and a function KS, called the key schedule. A description of
the computation is given first, along with details as to how the algorithm is used for encipherment.
Next, the use of the algorithm for decipherment is described. Finally, a definition of the cipher
function f is given in terms of primitive functions which are called the selection functions $S_i$ and the
permutation function P. $S_i$, P and KS of the algorithm are contained in the Appendix.

The following notation is convenient: Given two blocks L and R of bits, LR denotes the block
consisting of the bits of L followed by the bits of R. Since concatenation is associative, $B_1 B_2 \ldots B_8$,
for example, denotes the block consisting of the bits of $B_1$ followed by the bits of $B_2$ . . . followed by
the bits of $B_8$.

Enciphering 

A sketch of the enciphering computation is given in figure 1. 


*Blocks are composed of bits numbered from left to right, i.e., the left most bit of a block is bit one.

The 64 bits of the input block to be enciphered are first subjected to the following permutation,
called the initial permutation IP: 

                  IP

    58  50  42  34  26  18  10   2
    60  52  44  36  28  20  12   4
    62  54  46  38  30  22  14   6
    64  56  48  40  32  24  16   8
    57  49  41  33  25  17   9   1
    59  51  43  35  27  19  11   3
    61  53  45  37  29  21  13   5
    63  55  47  39  31  23  15   7


That is the permuted input has bit 58 of the input as its first bit, bit 50 as its second bit, and so on 
with bit 7 as its last bit. The permuted input block is then the input to a complex key-dependent 
computation described below. The output of that computation, called the preoutput, is then 
subjected to the following permutation which is the inverse of the initial permutation: 

               $IP^{-1}$

    40   8  48  16  56  24  64  32
    39   7  47  15  55  23  63  31
    38   6  46  14  54  22  62  30
    37   5  45  13  53  21  61  29
    36   4  44  12  52  20  60  28
    35   3  43  11  51  19  59  27
    34   2  42  10  50  18  58  26
    33   1  41   9  49  17  57  25


That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its 
second bit, and so on, until bit 25 of the preoutput block is the last bit of the output. 

The computation which uses the permuted input block as its input to produce the preoutput block 
consists, but for a final interchange of blocks, of 16 iterations of a calculation that is described below 
in terms of the cipher function f which operates on two blocks, one of 32 bits and one of 48 bits, and
produces a block of 32 bits. 

Let the 64 bits of the input block to an iteration consist of a 32 bit block L followed by a 32 bit block 
R. Using the notation defined in the introduction, the input block is then LR. 

Let K be a block of 48 bits chosen from the 64-bit key. Then the output L'R' of an iteration with 
input LR is defined by: 

(1)     $L' = R$
        $R' = L \oplus f(R, K)$

where $\oplus$ denotes bit-by-bit addition modulo 2.

As remarked before, the input of the first iteration of the calculation is the permuted input
block. If L'R' is the output of the 16th iteration then R'L' is the preoutput block. At each
iteration a different block K of key bits is chosen from the 64-bit key designated by KEY.

With more notation we can describe the iterations of the computation in more detail. Let KS
be a function which takes an integer n in the range from 1 to 16 and a 64-bit block KEY as
input and yields as output a 48-bit block $K_n$ which is a permuted selection of bits from KEY.
That is

(2)     $K_n = KS(n, KEY)$

with $K_n$ determined by the bits in 48 distinct bit positions of KEY. KS is called the key
schedule because the block K used in the n'th iteration of (1) is the block $K_n$ determined by (2).

As before, let the permuted input block be LR. Finally, let $L_0$ and $R_0$ be respectively L and R
and let $L_n$ and $R_n$ be respectively L' and R' of (1) when L and R are respectively $L_{n-1}$ and $R_{n-1}$
and K is $K_n$; that is, when n is in the range from 1 to 16,

(3)     $L_n = R_{n-1}$
        $R_n = L_{n-1} \oplus f(R_{n-1}, K_n)$

The preoutput block is then $R_{16}L_{16}$.

The key schedule KS of the algorithm is described in detail in the Appendix. The key schedule
produces the 16 $K_n$ which are required for the algorithm.

Deciphering 

The permutation $IP^{-1}$ applied to the preoutput block is the inverse of the initial permutation
IP applied to the input. Further, from (1) it follows that:

(4)     $R = L'$
        $L = R' \oplus f(L', K)$

Consequently, to decipher it is only necessary to apply the very same algorithm to an enciphered
message block, taking care that at each iteration of the computation the same block of key bits
K is used during decipherment as was used during the encipherment of the block. Using the
notation of the previous section, this can be expressed by the equations:

(5)     $R_{n-1} = L_n$
        $L_{n-1} = R_n \oplus f(L_n, K_n)$

where now $R_{16}L_{16}$ is the permuted input block for the deciphering calculation and $L_0R_0$ is the
preoutput block. That is, for the decipherment calculation with $R_{16}L_{16}$ as the permuted input,
$K_{16}$ is used in the first iteration, $K_{15}$ in the second, and so on, with $K_1$ used in the 16th
iteration.

The Cipher Function f 

A sketch of the calculation of f(R, K) is given in figure 2.

Figure 2. Calculation of f(R, K).


Let E denote a function which takes a block of 32 bits as input and yields a block of 48 bits as 
output. Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are 
obtained by selecting the bits in its inputs in order according to the following table: 

      E BIT-SELECTION TABLE

    32   1   2   3   4   5
     4   5   6   7   8   9
     8   9  10  11  12  13
    12  13  14  15  16  17
    16  17  18  19  20  21
    20  21  22  23  24  25
    24  25  26  27  28  29
    28  29  30  31  32   1

Thus the first three bits of E(R) are the bits in positions 32, 1 and 2 of R while the last 2 bits
of E(R) are the bits in positions 32 and 1.

Each of the unique selection functions $S_1, S_2, \ldots, S_8$ takes a 6-bit block as input and yields a
4-bit block as output and is illustrated by using a table containing the recommended $S_1$:

                                   $S_1$

                               Column Number
Row
No.    0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15

 0    14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
 1     0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
 2     4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
 3    15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13

If $S_1$ is the function defined in this table and B is a block of 6 bits, then $S_1(B)$ is determined as
follows: The first and last bits of B represent in base 2 a number in the range 0 to 3. Let that
number be i. The middle 4 bits of B represent in base 2 a number in the range 0 to 15. Let that
number be j. Look up in the table the number in the i'th row and j'th column. It is a number
in the range 0 to 15 and is uniquely represented by a 4 bit block. That block is the output
$S_1(B)$ of $S_1$ for the input B. For example, for input 011011 the row is 01, that is row 1, and the
column is determined by 1101, that is column 13. In row 1 column 13 appears 5 so that the
output is 0101. Selection functions $S_1, S_2, \ldots, S_8$ of the algorithm appear in the Appendix.

The permutation function P yields a 32-bit output from a 32-bit input by permuting the bits of 
the input block. Such a function is defined by the following table: 

           P

    16   7  20  21
    29  12  28  17
     1  15  23  26
     5  18  31  10
     2   8  24  14
    32  27   3   9
    19  13  30   6
    22  11   4  25


The output P(L) for the function P defined by this table is obtained from the input L by 
taking the 16th bit of L as the first bit of P(L), the 7th bit as the second bit of P(L), and so on 
until the 25th bit of L is taken as the 32nd bit of P(L). The permutation function P of the 
algorithm is repeated in the Appendix. 

Now let $S_1, \ldots, S_8$ be eight distinct selection functions, let P be the permutation function and
let E be the function defined above.

To define f(R, K) we first define $B_1, \ldots, B_8$ to be blocks of 6 bits each for which

(6)     $B_1 B_2 \ldots B_8 = K \oplus E(R)$

The block f(R, K) is then defined to be

(7)     $P(S_1(B_1) S_2(B_2) \ldots S_8(B_8))$

Thus $K \oplus E(R)$ is first divided into the 8 blocks as indicated in (6). Then each $B_i$ is taken as an
input to $S_i$ and the 8 blocks $S_1(B_1), S_2(B_2), \ldots, S_8(B_8)$ of 4 bits each are consolidated into a
single block of 32 bits which forms the input to P. The output (7) is then the output of the
function f for the inputs R and K.

APPENDIX

PRIMITIVE FUNCTIONS FOR THE
DATA ENCRYPTION ALGORITHM

The choice of the primitive functions KS, $S_1, \ldots, S_8$ and P is critical to the strength of an
encipherment resulting from the algorithm. Specified below is the recommended set of functions,
describing $S_1, \ldots, S_8$ and P in the same way they are described in the algorithm. For the
interpretation of the tables describing these functions, see the discussion in the body of the
algorithm.

The primitive functions $S_1, \ldots, S_8$ are:


                              $S_1$

    14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
     0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
     4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
    15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13


                              $S_2$

    15   1   8  14   6  11   3   4   9   7   2  13  12   0   5  10
     3  13   4   7  15   2   8  14  12   0   1  10   6   9  11   5
     0  14   7  11  10   4  13   1   5   8  12   6   9   3   2  15
    13   8  10   1   3  15   4   2  11   6

The primitive function P is:

Recall that $K_n$, for $1 \le n \le 16$, is the block of 48 bits in (2) of the algorithm. Hence, to describe KS, it is
sufficient to describe the calculation of $K_n$ from KEY for n = 1, 2, . . ., 16. That calculation is
illustrated in figure 3. To complete the definition of KS it is therefore sufficient to describe the two
permuted choices, as well as the schedule of left shifts. One bit in each 8-bit byte of the KEY
may be utilized for error detection in key generation, distribution and storage. Bits 8, 16, . . ., 64 are
for use in assuring that each byte is of odd parity.

Permuted choice 1 is determined by the following table: 

              PC-1

    57  49  41  33  25  17   9
     1  58  50  42  34  26  18
    10   2  59  51  43  35  27
    19  11   3  60  52  44  36

    63  55  47  39  31  23  15
     7  62  54  46  38  30  22
    14   6  61  53  45  37  29
    21  13   5  28  20  12   4


The table has been divided into two parts, with the first part determining how the bits of $C_0$ are
chosen, and the second part determining how the bits of $D_0$ are chosen. The bits of KEY are
numbered 1 through 64. The bits of $C_0$ are respectively bits 57, 49, 41, . . ., 44 and 36 of KEY, with
the bits of $D_0$ being bits 63, 55, 47, . . ., 12 and 4 of KEY.

With $C_0$ and $D_0$ defined, we now define how the blocks $C_n$ and $D_n$ are obtained from the blocks $C_{n-1}$
and $D_{n-1}$, respectively, for n = 1, 2, . . ., 16. That is accomplished by adhering to the following
schedule of left shifts of the individual blocks:

FIGURE 3. Key schedule calculation.

    Iteration      Number of
     Number       Left Shifts

        1              1
        2              1
        3              2
        4              2
        5              2
        6              2
        7              2
        8              2
        9              1
       10              2
       11              2
       12              2
       13              2
       14              2
       15              2
       16              1

For example, $C_3$ and $D_3$ are obtained from $C_2$ and $D_2$, respectively, by two left shifts, and $C_{16}$ and $D_{16}$
are obtained from $C_{15}$ and $D_{15}$, respectively, by one left shift. In all cases, by a single left shift is
meant a rotation of the bits one place to the left, so that after one left shift the bits in the 28
positions are the bits that were previously in positions 2, 3, . . ., 28, 1.

Permuted choice 2 is determined by the following table: 

            PC-2

    14  17  11  24   1   5
     3  28  15   6  21  10
    23  19  12   4  26   8
    16   7  27  20  13   2
    41  52  31  37  47  55
    30  40  51  45  33  48
    44  49  39  56  34  53
    46  42  50  36  29  32


Therefore, the first bit of $K_n$ is the 14th bit of $C_nD_n$, the second bit the 17th, and so on with the 47th
bit the 29th, and the 48th bit the 32nd.